author | Jenkins <jenkins@review.openstack.org> | 2017-06-14 16:26:57 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2017-06-14 16:26:57 +0000 |
commit | 12aaefa939974fe9970cff4e3f933d8411a9fa91 (patch) | |
tree | 0046b0d7b06d858a7e3029f3db3a650b0e466a81 | |
parent | dfdfc00312a60413daec62aa9cf7442db52605d9 (diff) | |
parent | 350e1a81dd559581bcf643e5a87ad89d6a9c0e5d (diff) |
Merge "Enable heat/puppet to manage the fernet keys and make it configurable"
-rw-r--r-- | puppet/services/keystone.yaml | 10 | ||||
-rw-r--r-- | releasenotes/notes/Introduce-ManageKeystoneFernetKeys-parameter-2478cf5fc5e64256.yaml | 6 |
2 files changed, 15 insertions, 1 deletions
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 57e3286a..af494016 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -122,6 +122,14 @@ parameters:
 KeystoneFernetKeys:
 type: json
 description: Mapping containing keystone's fernet keys and their paths.
+ ManageKeystoneFernetKeys:
+ type: boolean
+ default: true
+ description: Whether TripleO should manage the keystone fernet keys or not.
+ If set to true, the fernet keys will get the values from the
+ saved keys repository in mistral (the KeystoneFernetKeys
+ variable). If set to false, only the stack creation
+ initializes the keys, but subsequent updates won't touch them.
 KeystoneLoggingSource:
 type: json
 default:
@@ -258,7 +266,7 @@ outputs:
 '/etc/keystone/credential-keys/1':
 content: {get_param: KeystoneCredential1}
 keystone::fernet_keys: {get_param: KeystoneFernetKeys}
- keystone::fernet_replace_keys: false
+ keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
 keystone::debug:
 if:
 - service_debug_unset
diff --git a/releasenotes/notes/Introduce-ManageKeystoneFernetKeys-parameter-2478cf5fc5e64256.yaml b/releasenotes/notes/Introduce-ManageKeystoneFernetKeys-parameter-2478cf5fc5e64256.yaml
new file mode 100644
index 00000000..64a4d7e7
--- /dev/null
+++ b/releasenotes/notes/Introduce-ManageKeystoneFernetKeys-parameter-2478cf5fc5e64256.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - This introduces the ManageKeystoneFernetKeys parameter, which tells
+ heat/puppet if it should replace the existing fernet keys on a stack
+ deployment or not. This is useful if the deployer wants to do key rotations
+ out of band. |
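Review bot: KeystoneFernetKeys, shown in full in the context lines just above the new parameter in the `@@ -122,6 +122,14 @@` hunk, carries no `hidden: true`, and with ManageKeystoneFernetKeys defaulting to true it becomes the value applied to the key files on every stack update. Unless the parameter is masked somewhere outside this hunk, the key material would be readable through the stack's parameter listing. Consider adding `hidden: true` to KeystoneFernetKeys in the same change. The new description could also say plainly that key files changed on the node are replaced when the flag is true.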
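Review bot: In the `@@ -258,7 +266,7 @@` hunk, replacing the literal `false` on `keystone::fernet_replace_keys` with a parameter whose default is `true` changes behaviour for existing stacks that never set it: their next update would start replacing the key files. Where keys have been rotated on the controllers outside heat, that replacement presumably drops keys still needed to validate outstanding tokens. The release note lists this under `features` only; an `upgrade:` entry telling such deployments to set `ManageKeystoneFernetKeys: false` before updating would cover it. A one-line comment above the changed line, `# true lets puppet overwrite existing fernet key files with KeystoneFernetKeys`, would also help; the outputs block continues outside the hunk.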